Abstract. Consider the following generalized hidden shift problem: given a function $f$ on $\{0,\dots,M-1\} \times \mathbb{Z}_N$ satisfying $f(b,x) = f(b+1, x+s)$ for $b = 0, 1, \dots, M-2$, find the unknown shift $s \in \mathbb{Z}_N$. For $M = N$, this problem is an instance of the abelian hidden subgroup problem, which can be solved efficiently on a quantum computer, whereas for $M = 2$, it is equivalent to the dihedral hidden subgroup problem, for which no efficient algorithm is known. For any fixed positive $\epsilon$, we give an efficient (i.e., $\mathrm{poly}(\log N)$) quantum algorithm for this problem provided $M > N^\epsilon$. The algorithm is based on the "pretty good measurement" and uses H. Lenstra's (classical) algorithm for integer programming as a subroutine.



1. Introduction

Quantum mechanical computers can solve certain problems asymptotically faster than classical computers, but the extent of this advantage is not well understood. The most significant example of quantum computational speedup, Shor's algorithm for factoring and calculating discrete logarithms [?], is essentially based on an efficient quantum algorithm for the abelian hidden subgroup problem. This naturally leads to the question of whether the general nonabelian hidden subgroup problem can be solved efficiently on a quantum computer. Although efficient algorithms are known for a number of special cases of this problem [?], the two cases known to have significant applications, the dihedral group and the symmetric group, remain unsolved. In particular, an efficient quantum algorithm for the hidden subgroup problem (HSP) over the symmetric group would lead to an efficient quantum algorithm for graph isomorphism [?], and an efficient quantum algorithm for the dihedral HSP would lead to efficient quantum algorithms for certain lattice problems [24].

Although no polynomial-time algorithm is known for the dihedral HSP, Kuperberg recently discovered a subexponential-time quantum algorithm [18]. Kuperberg's algorithm uses a superpolynomial amount of time, space, and queries; Regev subsequently improved the space requirement to be only polynomial. These algorithms are closely related to a connection between the dihedral HSP and an average case subset sum problem observed by Regev [?].

Recently, together with Bacon, we have developed an approach to the hidden subgroup problem based on the "pretty good measurement" (PGM) [?]. In this approach, the PGM is used to distinguish the members of an ensemble of quantum states corresponding to the various possible hidden subgroups. For a variety of groups that can be written as the semidirect product of an abelian group and a cyclic group of prime order, we found that this measurement is closely related to a certain kind of average case algebraic problem. In particular, the measurement succeeds when the algebraic problem is likely to have a solution, and can be implemented if the solutions to that problem can be found. For the dihedral group, this problem is simply the average case subset sum problem [2]; more generally, we refer to it as the matrix sum problem. In some cases, the matrix sum problem can be solved, giving an efficient quantum algorithm for the corresponding hidden subgroup problem [3]. However, since the average case subset sum problem appears to be difficult, this approach has not yielded an improved algorithm for the dihedral HSP.

In this article, we show how the PGM approach provides an efficient quantum algorithm for a problem that interpolates between the abelian and dihedral hidden subgroup problems. The dihedral HSP is equivalent to the hidden shift problem, in which the goal is to determine a hidden shift $s \in \mathbb{Z}_N$ given two injective functions $f_0, f_1$ satisfying $f_0(x) = f_1(x + s)$. Instead of only two such functions, we consider $M$ such functions, each one shifted from the previous by a fixed hidden shift $s$. If $M = N$, this problem is an instance of the abelian HSP on $\mathbb{Z}_N \times \mathbb{Z}_N$ with the hidden subgroup $\langle(1, s)\rangle$, which can be solved efficiently using abelian Fourier sampling. Even the case $M = N$ is classically intractable, and the problem only becomes more difficult for smaller $M$. In particular, for $M \ll N$, abelian Fourier sampling fails to determine the hidden shift. Using the PGM approach, we give, for any fixed integer $k \ge 3$, an efficient quantum algorithm that solves this problem for $M = \lfloor N^{1/k} \rfloor$. The algorithm works by implementing a joint measurement on $k$ copies of certain quantum states that encode the hidden shift. Because for each $M > M'$ the generalized hidden shift problem on $\{0,\dots,M-1\} \times \mathbb{Z}_N$ can be reduced to the generalized hidden shift problem on $\{0,\dots,M'-1\} \times \mathbb{Z}_N$, for any fixed $\epsilon > 0$, this gives an efficient quantum algorithm for all $M > N^\epsilon$.

By applying the general PGM approach developed in [2], we find that the matrix sum problem corresponding to the generalized hidden shift problem is the following: given uniformly random $x \in \mathbb{Z}_N^k$ and $w \in \mathbb{Z}_N$, find $b \in \{0,\dots,M-1\}^k$ such that $b \cdot x \bmod N = w$. As this is a linear Diophantine equation with convex constraints, it is an instance of integer programming, and can be solved using Hendrik Lenstra's algorithm for that problem, which is efficient as long as the dimension $k$ is constant. Thus our algorithm for the generalized hidden shift problem reiterates a theme of [?]: by combining abelian quantum Fourier transforms with nontrivial classical (or quantum) algorithms, one can find efficient quantum algorithms for HSP-like problems via the implementation of entangled quantum measurements. This result is encouraging since entangled measurements are known to be necessary for some hidden subgroup problems, in particular for the symmetric group [22].

The remainder of this article is organized as follows. In Section 2 we describe the generalized hidden shift problem in detail and explain how it can be viewed as a quantum state distinguishability problem. In Section 3 we review the pretty good measurement approach to such problems, prove that this approach solves the generalized hidden shift problem when the number of states is $k \ge \lceil 1/\epsilon \rceil$, and explain how it can be implemented by solving an appropriate matrix sum problem. In Section 4 we explain how the matrix sum problem can be solved efficiently (for constant $k$) using Lenstra's algorithm for integer programming. Finally, we conclude in Section 5 with a discussion of the results and some open questions.

2. The generalized hidden shift problem 

It is well known that the dihedral HSP is equivalent to the hidden shift problem, which is defined as follows. Given two injective functions $f_0 : \mathbb{Z}_N \to S$ and $f_1 : \mathbb{Z}_N \to S$ (where $S$ is some finite set) satisfying $f_0(x) = f_1(x + s)$ for some unknown $s \in \mathbb{Z}_N$, find $s$. For a proof of this equivalence, see Theorem 2 of [?] and Proposition 6.1 of [?]. For certain explicit functions of interest, such as the Legendre symbol, the hidden shift problem can be solved efficiently on a quantum computer [7]. However, for arbitrary black box functions, no efficient algorithm for the hidden shift problem is known.

A natural generalization of this problem, which we call the generalized hidden shift problem, is as follows. Consider a single function $f : \{0,\dots,M-1\} \times \mathbb{Z}_N \to S$ satisfying two conditions: (a) for fixed $b$, $f(b,x) : \mathbb{Z}_N \to S$ is injective and (b) $f(b, x) = f(b + 1, x + s)$ for $b = 0, 1, \dots, M-2$ for some fixed $s \in \mathbb{Z}_N$. Given such a function, our goal is again to find the hidden shift $s$. For $M = 2$, this problem is simply the usual hidden shift problem (with $f_b(x) = f(b,x)$ for $b = 0, 1$), and hence is equivalent to the dihedral HSP. For $M = N$, this problem is an instance of the abelian hidden subgroup problem (where the hidden subgroup is $\langle(1,s)\rangle \le \mathbb{Z}_N \times \mathbb{Z}_N$). As a step toward understanding the dihedral HSP, we would like to investigate the difficulty of the problem for intermediate values of $M$. (Note that for intermediate values of $M$, the generalized hidden shift problem is apparently not an instance of the HSP for any group.)

On a quantum computer, this problem can be turned into a state distinguishability problem in the same manner as the standard approach to the hidden subgroup problem. Prepare a uniform superposition over all values of $b \in \{0,\dots,M-1\}$ and $x \in \mathbb{Z}_N$ and then compute the value of $f(b, x)$, giving the state

A/-1 



b=0 xGZn 

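Then measure the third register, giving the state

$$|\phi_{x,s}\rangle := \frac{1}{\sqrt{M}} \sum_{b=0}^{M-1} |b, x + bs\rangle \tag{2}$$

for some unknown $x \in \mathbb{Z}_N$. Equivalently, the result is the mixed state described by the density matrix

$$\rho_s := \frac{1}{N} \sum_{x \in \mathbb{Z}_N} |\phi_{x,s}\rangle\langle\phi_{x,s}| . \tag{3}$$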



Using a single copy of the state, we can identify $s$ by the standard period finding algorithm (e.g., as in Shor's algorithm) only when $M$ is very large. Given the state $|\phi_{x,s}\rangle$, we can try to find $s$ by applying the Fourier transform over $\mathbb{Z}_N \times \mathbb{Z}_N$ to the two registers, which yields the state

M-l 

= y u;^'" y cu^(J'+^^)|y,z), (4) 



where $\omega := \exp(2\pi i/N)$. In the case $M = N$, this state equals

^ 5: c-l (5) 

Measuring in the computational basis, we will observe $(-sz, z)$ for a uniformly random $z \in \mathbb{Z}_N$. If $z$ is invertible modulo $N$, which happens with probability $\Omega(1/\log\log N)$, then we can deduce $s$ immediately from the values $-sz$ and $z$. However, in general, for $M < N$, the outcome will only be of the form $(-sz, z)$ with probability $M/N$. If $M < N^\epsilon$ with $\epsilon < 1$, this probability is exponentially small in $\log N$, and the approach fails. A similar argument shows that an analogous approach using a Fourier transform over $\mathbb{Z}_M \times \mathbb{Z}_N$ followed by a computational basis measurement also fails for $M \ll N$. (Note that $\mathrm{poly}(\log N)$ such classical samples information theoretically determine the answer even for $M = 2$, but it is not known how to process this data efficiently.)

Instead, we will use $k > 1$ states and apply the pretty good measurement. To see the connection to the matrix sum problem, it is helpful to write these states in a different basis. Fourier transforming the second register over $\mathbb{Z}_N$, we find



Ps 



E E u;(^-™)l6,x)(c,x|. (6) 



x£Z>L b,ce{0,...,Af-l}'= 
which are uniform superpositions over the solutions of the matrix sum problem,

$$S_w^x := \{ b \in \{0,\dots,M-1\}^k : b \cdot x = w \bmod N \} . \tag{8}$$

Here the number of solutions is $\eta_w^x := |S_w^x|$. If there are no solutions (i.e., if $\eta_w^x = 0$) then we define $|S_w^x\rangle := 0$. In terms of these states, we can rewrite (6) as
pf = 7]^H E ^^""'^'v^|5S,^>(5:,x|. (9) 

Given such a state, we would like to determine the value of s. 

3. Pretty good measurement approach 

In this section, we review the PGM approach to distinguishing hidden subgroup states as applied to the generalized hidden shift states (9).

The pretty good measurement (also known as the square root measurement or least squares measurement) is a measurement that often does well at distinguishing the members of an ensemble of quantum states [13] (and in fact is sometimes optimal in a certain sense). For an ensemble of states $\{\sigma_j\}$ with equal a priori probabilities, the pretty good measurement is the POVM with elements

E, := (10) 

where

$$\Sigma := \sum_j \sigma_j \tag{11}$$

and where the inverse is taken over the support of the ensemble.
For the states (9), the PGM normalization matrix is

giving POVM elements 

The probability of successfully identifying the hidden shift $s$ is independent of $s$, and is given by

Pr(success) := tr£;s,5f*= (14) 

E E • (15) 
Using this expression, we can show that the success probability is appreciable when the matrix sum problem is likely to have a solution. Specifically, we have

Lemma 1 (Lemma 2 of 0). IfFr{ri^ for uniformly random 

$x \in \mathbb{Z}_N^k$ and $w \in \mathbb{Z}_N$ (i.e., if most instances of the matrix sum problem have many solutions), then $\alpha\beta^2 N/M^k \le \Pr(\text{success}) \le M^k/N$.

Proof. For the upper bound, we have 

Pr(success) < ^ J] ^ = _ (16) 



since the $\eta$'s are integers and $\sum_{w \in \mathbb{Z}_N} \eta_w^x = M^k$ for any $x$. For the lower bound, we have



Pr(success) > E E V^j 



(17) 



by Cauchy's inequality applied to (15). Now

E E ^ ^^Pr(ryS > a) , (18) 



so by the hypothesis, $\Pr(\text{success}) \ge \alpha\beta^2 N/M^k$ as claimed. □

For uniformly random $x \in \mathbb{Z}_N^k$ and $w \in \mathbb{Z}_N$, the expected number of matrix sum solutions is

$$\mu := \mathrm{E}[\eta_w^x] = \frac{M^k}{N} , \tag{19}$$

where we have again used the fact that $\sum_w \eta_w^x = M^k$ for any $x$. Thus, we expect the matrix sum problem to typically have no solutions for $k \ll \log N/\log M$, many solutions for $k \gg \log N/\log M$, and a constant number of solutions for $k \approx \log N/\log M$. This intuition can be formalized as follows:

Lemma 2. For the generalized hidden shift problem with $M = \lfloor N^{1/k} \rfloor$ with $k \ge 3$ and $N$ sufficiently large, $\Pr(1 \le \eta_w^x \le 4)$ is lower bounded by a constant.

A proof is given in the appendix. 

Together, Lemmas 1 and 2 show that the PGM has at least a constant probability of successfully identifying the hidden shift. In fact, it turns out that the PGM is the POVM that maximizes the probability of successfully determining $s$ given the states (9). For more details, we refer the reader to Section 4 of [2] and Section 4.4 of [3].

Finally, to give an efficient algorithm based on the PGM, we must show how the measurement can be implemented efficiently on a quantum computer. Such an implementation can be achieved using Neumark's theorem [?], which states that any POVM can be realized by a unitary transformation $U$ on the system together with an ancilla followed by a measurement in the computational basis. For a POVM consisting of rank one operators $F_j = |f_j\rangle\langle f_j|$ in a $D$-dimensional Hilbert space, $U$ has the block form

where the rows of the $N \times D$ matrix $V$ are the $D$-vectors $\langle f_j|$, i.e., $V = \sum_{j=1}^{N} |j\rangle\langle f_j|$. (In particular, if all the vectors $|f_j\rangle$ have unit length, as will be the case below, $X = 0$.)

Recall from (13) that the POVM operators for the PGM on hidden subgroup states can be written

$$E_j = \sum_{x \in \mathbb{Z}_N^k} E_j^x \otimes |x\rangle\langle x| \tag{21}$$

where

$$E_j^x := |e_j^x\rangle\langle e_j^x| \tag{22}$$

with
1 



E^""'I^S>- (23) 

In other words, each $E_j$ is block diagonal, with blocks labeled by $x \in \mathbb{Z}_N^k$, and where each block is rank one. Thus, the measurement can be implemented in a straightforward way by first measuring the block label $x$ and then performing the POVM $\{E_j^x\}_{j \in \mathbb{Z}_N}$ conditional on the first measurement result.

To implement the POVM $\{E_j^x\}_{j \in \mathbb{Z}_N}$ using Neumark's theorem, we would like to implement the unitary transformation $U^x$ with the upper left submatrix

j,W&ZM 

It is convenient to perform a Fourier transform (over $\mathbb{Z}_N$) on the left (i.e., on the index $j$), giving a unitary operator with upper left submatrix

^' = i E (25) 

= E (26) 

Therefore, the PGM can be implemented efficiently if we can efficiently perform a unitary transformation satisfying

$$|w, x\rangle \mapsto |S_w^x, x\rangle \tag{27}$$

for all matrix sum instances $(x, w)$ with $\eta_w^x > 0$. We refer to (27) as quantum sampling of solutions to the matrix sum problem. If we can efficiently quantum sample from matrix sum solutions, then by running the circuit in reverse, we can efficiently implement $U^x$, and hence the desired measurement.

By applying these unitary transformations directly to the state (9), we can obtain a description of the algorithm without reference to generalized measurement. Performing the inverse of the quantum sampling transformation (27) followed by a Fourier transform, we obtain the state

P''-=^Y. \p'x^^)ip'x,^\ (28) 



where 



\px) 



Roughly speaking, if the distribution of $\eta_w^x$ is close to uniform, then the sum over $w$ in (29) is close to zero unless $j = s$, so that a measurement of the first register is likely to yield the hidden shift $s$.

In general, it may be difficult to implement (27) exactly. Instead, we may only be able to perform an approximate quantum sampling transformation satisfying

[X,W) e Zbad 

for some states $|\mu_w^x\rangle$, where $Z_{\mathrm{good}}, Z_{\mathrm{bad}}$ form a partition of the matrix sum instances $(x, w)$ for which $\eta_w^x > 0$. The good matrix sum problem instances $(x, w) \in Z_{\mathrm{good}}$ are those for which the quantum sampling can be done correctly. Assuming the bad matrix sum instances $(x, w) \in Z_{\mathrm{bad}}$ can be recognized, we can ensure that $\langle S_w^x | \mu_{w'}^x \rangle = 0$ for all $x \in \mathbb{Z}_N^k$, $w, w' \in \mathbb{Z}_N$. Applying the approximate quantum sampling transformation followed by the Fourier transform gives the state



where 




+ yz ^"^^-^'Wi^r) 1 (32) 



(a;,-u;)GZbad 

for some states jz^J) with {jliyj,} = for all x G Z^,j, j' G Zat (since 

{^w\Pw') ~ ^ ^'-'^ ^ ^ '^%-,w,w' G Zat and (jSU)) is unitary). The fidelity 
between the ideal final state p' and the actual final state p'^-p^ resulting from 
approximate quantum sampling is thus

(MNf ^ ^^^^ 

Now $\eta_w^x \ge 1$ for all $(x, w) \in Z_{\mathrm{good}}$, so if $|Z_{\mathrm{good}}|$ is sufficiently large, the actual final state is close to the ideal final state, and hence a measurement of the first register yields the hidden shift $s$ with reasonable probability. As we will show in the next section, the instances with $1 \le \eta_w^x \le 4$ can be quantum sampled efficiently (i.e., these instances are good). Then, letting $M = \lfloor N^{1/k} \rfloor$, Lemma 2 shows that $|Z_{\mathrm{good}}|/N^{k+1}$ is lower bounded by a constant, and thus the fidelity between the ideal and actual final states is lower bounded by a constant, so that the probability of successfully determining $s$ is lower bounded by a constant.



4. Solution of the matrix sum problem 

Recall that the matrix sum problem for the generalized hidden shift problem is the following: given $x \in \mathbb{Z}_N^k$ and $w \in \mathbb{Z}_N$ chosen uniformly at random, find $b \in \{0,\dots,M-1\}^k$ such that $b \cdot x = w \bmod N$. This is a linear equation over $\mathbb{Z}_N$ in $k$ variables, where the solutions are required to come from $\{0,\dots,M-1\}$. Such solutions can be found using integer programming, which has an efficient algorithm if $M$ is sufficiently large. We assume $M = \lfloor N^{1/c} \rfloor$ for some positive integer $c \ge 3$. Since we can always decrease $M$ by only considering a subset of the inputs to the first argument of the hiding function $f$, this will not constitute a loss of generality. According to Lemma 2 we take $k = c$ so that there are between 1 and 4 solutions with probability at least some constant.

To see the connection to integer programming, we note that the solutions form an integer lattice. We begin by considering the equation $b \cdot x = w \bmod N$ as a $(k+1)$-variable linear equation over all the integers $\mathbb{Z}$. Define an extension of $x$ by $\tilde{x} := (x_1, \dots, x_k, N)$ and consider the solutions $\tilde{b} \in \mathbb{Z}^{k+1}$ of the equation $\tilde{b} \cdot \tilde{x} = w$. For any $b \in \mathbb{Z}^k$ that solves the equation $b \cdot x = w \bmod N$, there is a unique $\lambda \in \mathbb{Z}$ such that $\tilde{b} = (b, \lambda)$ is a solution to $\tilde{b} \cdot \tilde{x} = w$; and conversely, for any $\tilde{b} \in \mathbb{Z}^{k+1}$ that solves $\tilde{b} \cdot \tilde{x} = w$, there is a unique $b \in \mathbb{Z}^k$ (namely, the first $k$ components of $\tilde{b}$) that solves $b \cdot x = w \bmod N$. Hence there is a bijection between the solutions $\tilde{b} \in \mathbb{Z}^{k+1}$ to the equation $\tilde{b} \cdot \tilde{x} = w$ and the solutions $b \in \mathbb{Z}^k$ to the equation $b \cdot x = w \bmod N$.

By Lemma [?] in the appendix, we see that the linear Diophantine equation $\tilde{b} \cdot \tilde{x} = w$ will have no solutions if $\gcd(x_1, \dots, x_k, N)$ does not divide $w$. If $\tilde{b} \cdot \tilde{x} = w$ does have a solution, then the solutions $\tilde{b}$ comprise a shifted $k$-dimensional lattice $\tilde{b}^{(0)} + L$ with some particular solution $\tilde{b}^{(0)}$ satisfying $\tilde{b}^{(0)} \cdot \tilde{x} = w$ and the elements of $L \subset \mathbb{Z}^{k+1}$ the solutions of the equation $\tilde{b} \cdot \tilde{x} = 0$. By omitting the last coordinate of these solutions, we obtain all solutions $b \in \mathbb{Z}^k$, which comprise a shifted $k$-dimensional lattice in $\mathbb{Z}^k$:

$$b = b^{(0)} + \sum_{j=1}^{k} \beta_j b^{(j)} \tag{34}$$

for all $\beta_1, \dots, \beta_k \in \mathbb{Z}$. Due to the aforementioned bijection, each solution $b \in \mathbb{Z}^k$ has a unique set of coordinates $\beta_1, \dots, \beta_k \in \mathbb{Z}$. The vectors $b^{(0)}, \dots, b^{(k)} \in \mathbb{Z}^k$ can be found efficiently by applying the extended Euclidean algorithm to the equation $\tilde{b} \cdot \tilde{x} = w$ (see for example Algorithm 1.3.6 in [?]).

To solve the matrix sum problem, we would like to find the solutions $b$ that lie in $\{0,\dots,M-1\}^k$, which is the set of integer points in the convex region described by the inequalities

$$0 \le b_i \le M-1, \quad i = 1, \dots, k. \tag{35}$$

The problem of finding such points (or more precisely, deciding whether such a point exists) is simply an instance of integer programming in $k$ dimensions, which can be solved efficiently if $k$ is a constant. In general, the integer programming problem is the following. Given a rational matrix $A \in \mathbb{Q}^{m \times k}$ and a rational vector $\gamma \in \mathbb{Q}^m$, does there exist an integral vector $\beta \in \mathbb{Z}^k$ such that $A\beta \le \gamma$? Although this general problem is NP-complete [?], if the dimension $k$ is held constant, then the problem can be solved in time polynomial in the input size [20] using an algorithm based on lattice basis reduction [19].

By rewriting the convex constraints (35) in terms of the lattice of solutions (34), we see that solutions of the matrix sum problem correspond precisely to vectors $\beta \in \mathbb{Z}^k$ satisfying the constraints

$$\sum_{j=1}^{k} \beta_j b_i^{(j)} \le (M-1) - b_i^{(0)}, \quad i = 1, \dots, k \tag{36}$$

$$-\sum_{j=1}^{k} \beta_j b_i^{(j)} \le b_i^{(0)}, \quad i = 1, \dots, k. \tag{37}$$

But this is precisely an instance of integer programming in k dimensions 
with m = 2k constraints, with 



^«i= \m . , (38) 




Therefore, it can be solved efficiently whenever $k$ is a constant. Note that integer programming as described above is a decision problem, whereas we would like to find the actual solutions. However, this is easily accomplished using bisection, recursively dividing the set $\{0,\dots,M-1\}^k$ into halves, to find all of the solutions efficiently (for the cases in which there are few solutions, in particular for those for which there are between 1 and 4 solutions).
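The reduction described in this section, as an added example (not code from the paper): `particular_solution` applies the extended Euclidean algorithm to $(x_1, \dots, x_k, N)$ to test the gcd condition and produce one unconstrained integer solution, and `box_solutions` lists the solutions that lie in $\{0,\dots,M-1\}^k$. Lenstra's algorithm is not implemented here; the box search enumerates $k-1$ coordinates and solves a one-variable congruence for the last, which is practical only for toy parameters. All function names and the sample instance are constructed for illustration.

```python
from itertools import product
from math import gcd


def ext_gcd(a, b):
    """Return (g, u, v) with u*a + v*b == g == gcd(a, b), for a, b >= 0."""
    u0, v0, u1, v1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        u0, u1 = u1, u0 - q * u1
        v0, v1 = v1, v0 - q * v1
    return a, u0, v0


def particular_solution(x, w, N):
    """One integer vector (b_1, ..., b_k, lam) with sum(b_i * x_i) + lam * N == w.

    Entries of x are expected in 0..N-1. Returns None when
    gcd(x_1, ..., x_k, N) does not divide w, i.e. when b.x = w mod N
    has no solution at all, even without the box constraint.
    """
    g, coeffs = 0, []
    for a in list(x) + [N]:
        g, u, v = ext_gcd(g, a)          # fold the next entry into the running gcd
        coeffs = [c * u for c in coeffs] + [v]
    if w % g:
        return None
    return [c * (w // g) for c in coeffs]


def box_solutions(x, w, N, M):
    """All b in {0, ..., M-1}^k with b.x = w mod N (the set S_w^x of eq. (8)).

    Enumerates the first k-1 coordinates and solves a * b_k = rest (mod N)
    for the last one; this takes M^(k-1) steps and stands in for integer
    programming only on small instances.
    """
    k = len(x)
    a = x[-1] % N
    g = gcd(a, N)                        # gcd(0, N) == N
    step = N // g                        # b_k is determined modulo N / g
    inv = pow(a // g, -1, step) if step > 1 else 0
    sols = []
    for head in product(range(M), repeat=k - 1):
        rest = (w - sum(bi * xi for bi, xi in zip(head, x))) % N
        if rest % g:
            continue                     # no b_k completes this prefix
        t0 = (rest // g) * inv % step
        sols.extend(head + (bk,) for bk in range(t0, M, step))
    return sols


if __name__ == "__main__":
    # Constructed toy instance with M = floor(N^(1/k)): N = 64, k = 3, M = 4.
    N, M, x = 64, 4, (5, 12, 33)
    for w in (0, 7, 50):
        print(w, particular_solution(x, w, N), box_solutions(x, w, N, M))
```

For most `w` the unconstrained solution exists while the box contains zero or one solutions, which is the regime $\mu = M^k/N \approx 1$ that the measurement relies on.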

Overall, we see that we can efficiently solve the matrix sum problem (in a regime where the pretty good measurement solves the generalized hidden shift problem with constant probability) whenever $M > N^\epsilon$ for some fixed $\epsilon > 0$. For the cases in which the number of solutions is small, they can be explicitly enumerated, and hence we can efficiently perform the approximate quantum sampling transformation (30) (see for example footnote 2 of [3]). Therefore, we find the following result.

Theorem 3. The generalized hidden shift problem with $M > N^\epsilon$ for any fixed $\epsilon > 0$ can be solved in time $\mathrm{poly}(\log N)$ on a quantum computer.

Proof. Given $\epsilon$, we will use $k = \max\{\lceil 1/\epsilon \rceil, 3\}$ copies of the unknown quantum state (3). Because the generalized hidden shift problem on the full domain $\{0,\dots,M-1\} \times \mathbb{Z}_N$ can be solved by solving the same problem on a reduced domain $\{0,\dots,M'-1\} \times \mathbb{Z}_N$ with $M' < M$, it is sufficient to prove the theorem for a specific $M \le N^\epsilon$. We will do this for $M = \lfloor N^{1/k} \rfloor$.

By Lemma 2 there is a constant probability of having between 1 and 4 solutions to the random matrix sum equation $b \cdot x = w \bmod N$, and hence the success probability of the PGM is also a constant (by Lemma 1). The efficient approximate implementation of this measurement is described in the second half of Section 3 in combination with the results on integer programming that are described in the first part of Section 4. □

In fact, the algorithm remains efficient even if $\epsilon$ decreases (very) slowly
with $N$. Lenstra's algorithm for integer programming in dimension $k$ takes
time 2^^^^^ [201) so the generalized hidden shift problem can be solved ef- 
ficiently for M = A^'-'(^/('°si°g^)^''^). Indeed, a subsequent improvement by 
Kannan solves fe-dimensional integer programming in time 2^^^^°^^'> jl6j . 
which can be used to decrease M slightly further. 

5. Discussion 

We have applied the PGM approach to the generalized hidden shift problem, which interpolates from the dihedral HSP to the abelian HSP as $M$ varies from 2 to $N$. We found an efficient quantum algorithm for this problem for any $M > N^\epsilon$ with $\epsilon$ fixed (or decreasing very slowly with $N$). The algorithm works by solving the matrix sum problem using Lenstra's algorithm for integer programming in constant dimensions, thereby illustrating (as in [?]) that nontrivial classical algorithms can be useful for implementing entangled measurements to distinguish states obtained by Fourier sampling.

Our original motivation for studying this problem was the observation that a solution to the generalized hidden shift problem for sufficiently small $M$ could lead to new algorithms for the unique shortest vector in a lattice problem, just as Regev showed for the case $M = 2$ [24]. Unfortunately, $M > N^\epsilon$ does not appear to be sufficiently small to yield interesting lattice algorithms. Nevertheless, attempting to solve the generalized hidden shift problem for yet smaller $M$ may be a promising path toward improved quantum algorithms for lattice problems. Indeed, for the case $M = 2$, Kuperberg's subexponential-time algorithm outperforms the algorithm given in this paper, so it seems likely that an improved algorithm could be found for values of $M$ intermediate between 2 and $N^\epsilon$.

Another problem suggested by this work is the following generalization of graph isomorphism. Suppose that we are given a list of $n$-vertex graphs $G_0, \dots, G_{M-1}$, and are promised that either no two graphs are isomorphic, or $G_b = \pi(G_{b+1})$ for some fixed permutation $\pi \in S_n$ for $b = 0, 1, \dots, M-2$. It would be interesting to show that this problem can be solved efficiently even for very large $M$ (where the graphs can be specified by a black box in the case where $M$ is superpolynomial in $n$).
Appendix: Number of solutions of the matrix sum problem

In this section, we prove Lemma 2. Before giving the proof, we need the following fact:

Lemma 4. For any fixed $b$, the number of solutions $x \in \mathbb{Z}_N^k$ to the equation $b \cdot x = 0 \bmod N$ is $N^{k-1} \gcd(b_1, \dots, b_k, N)$.

Proof. First, consider the case where $N = p^r$ is a prime power. Then $\gcd(b_1, \dots, b_k, p^r) = p^s$ for some $s \in \{0, 1, \dots, r\}$. In particular, there must be an index $i$ such that $\gcd(b_i, p^r) = p^s$, and hence $b_i = c p^s$ for some $c \in \{1, \dots, p-1\}$. Without loss of generality, assume $i = 1$. Now we can rewrite the equation $b \cdot x = 0$ as $c p^s x_1 + \sum_{j=2}^{k} b_j x_j = 0 \bmod p^r$, or equivalently, since $p^s$ is a common divisor of all $b_j$, $c x_1 = -\sum_{j=2}^{k} b'_j x_j \bmod p^{r-s}$ where $b'_j = b_j/p^s$. Because $c \in \mathbb{Z}_N^\times$, for any fixed $(x_2, \dots, x_k) \in \mathbb{Z}_N^{k-1}$, there are $p^s$ solutions $x_1 = -(\sum_{j=2}^{k} b'_j x_j)/c + \lambda p^{r-s} \bmod p^r$ (one solution for each $\lambda \in \{0, \dots, p^s - 1\}$). Hence the total number of solutions $(x_1, \dots, x_k)$ is $p^{r(k-1)} p^s$, proving the lemma for the case $N = p^r$.

Now if $N$ is not a prime power, let $N = p_1^{r_1} \cdots p_t^{r_t}$ be the factorization of $N$ into powers of distinct primes, and let $\tau : \mathbb{Z}_N \to \mathbb{Z}_{p_1^{r_1}} \times \cdots \times \mathbb{Z}_{p_t^{r_t}}$ be the ring isomorphism provided by the Chinese remainder theorem: for $x \in \mathbb{Z}_N$, $\tau(x) = (x \bmod p_1^{r_1}, \dots, x \bmod p_t^{r_t})$. Since $\tau$ is a ring isomorphism, $b \cdot x = 0 \bmod N$ if and only if $b \cdot \tau(x)_i = 0 \bmod p_i^{r_i}$ for all $i = 1, \dots, t$. By the special case of the lemma for $N$ a prime power, the number of solutions to the $i$th equation is $p_i^{r_i(k-1)} \gcd(b_1, \dots, b_k, p_i^{r_i})$; hence the total number of solutions is $\prod_{i=1}^{t} p_i^{r_i(k-1)} \gcd(b_1, \dots, b_k, p_i^{r_i}) = N^{k-1} \gcd(b_1, \dots, b_k, N)$ as claimed. □

Now we are ready to give the proof of Lemma 2.

Lemma 2. For the generalized hidden shift problem with $M = \lfloor N^{1/k} \rfloor$ with $k \ge 3$ and $N$ sufficiently large, $\Pr(1 \le \eta_w^x \le 4)$ is lower bounded by a constant.

Proof. The main idea of the proof is the same as in the proof of Lemma 5 of [3]: we show that the variance of $\eta_w^x$ is small, so that the number of solutions of the matrix sum problem is typically close to its mean. Because we have $M = \lfloor N^{1/k} \rfloor$, the mean value of $\eta_w^x$ is $\mu := \mathrm{E}_{x,w}[\eta_w^x] = M^k/N = 1 + O(1/N)$ as $N$ grows.

The variance of the number of solutions $b \in \{0,\dots,M-1\}^k$ of the equation $b \cdot x = w \bmod N$ for uniformly random $x \in \mathbb{Z}_N^k$, $w \in \mathbb{Z}_N$ is $\sigma^2 := \mathrm{E}_{x,w}[(\eta_w^x)^2] - \mu^2$, and

$$\mathrm{E}_{x,w}[(\eta_w^x)^2] = \frac{1}{N^{k+1}} \sum_{x,w} (\eta_w^x)^2 \tag{40}$$

$$= \frac{1}{N^{k+1}} \sum_{x,w} \Big( \sum_{b} \delta_{b \cdot x, w} \Big) \Big( \sum_{c} \delta_{c \cdot x, w} \Big) \tag{41}$$

$$= \frac{1}{N^{k+1}} \sum_{x,w} \Big( \sum_{b} \delta_{b \cdot x, w} + \sum_{b \ne c} \delta_{b \cdot x, w}\, \delta_{b \cdot x, c \cdot x} \Big) \tag{42}$$

(with the $b, c$ summations over $\{0,\dots,M-1\}^k$). The first (diagonal) term is just the mean. To handle the second (off-diagonal) term, we can write



^+]^E E (44) 



bi^c 
b+c 
where the next to last step follows from Lemma 4. Now for any $q \in \{0,\dots,M-1\}$, for a fixed value of $c_i$, there are $1 + \lfloor (M - c_i - 1)/q \rfloor + \lfloor c_i/q \rfloor \le 1 + M/q$ choices of $b_i \in \{0,\dots,M-1\}$ that are divisible by $q$, and hence the number of $b, c$ such that $\gcd(b_1 - c_1, \dots, b_k - c_k) = q$ is upper bounded by $M^k [(M + q)/q]^k$. Therefore, for fixed $k \ge 3$ and $M^k/N = 1 + O(1/N)$, we have



q=l 
M-1 



A* 



<fi + 



w 

vr 



M + q 



EE 

q=l j=0 



Mi 



fc /, \ oo 

0(M2logM) + ^ ( .jM^Yl 



0{M^ logM) + 



J=3 
2 

-y 



^i + — +o{l) 



(47) 



(48) 



(49) 



(50) 



(51) 



where in the next to last step we have used the fact that $\sum_{q=1}^{\infty} q^{1-j} \le \pi^2/6$ for any $j \ge 3$. As $\mu = M^k/N = 1 + o(1)$, we find $\sigma^2 = \mathrm{E}_{x,w}[(\eta_w^x)^2] - \mu^2 \le \pi^2/6 + o(1)$.

Since the variance is small, Chebyshev's inequality shows that the probability of deviating far from the mean number of solutions is small:

$$\Pr(|\eta_w^x - \mu| \ge \Delta) \le \frac{\sigma^2}{\Delta^2} . \tag{52}$$

Putting $\Delta = 4$ and using the fact that $\eta_w^x$ must be an integer, we find $\Pr(\eta_w^x \ge 5) \le \pi^2/96 + o(1)$.

To see that we are unlikely to have no solutions, we need a slightly stronger bound than the Chebyshev inequality. Since $\eta_w^x \in \mathbb{N}$, we have $\Pr(\eta_w^x = 0) \le \sigma^2/(\mu^2 + \sigma^2)$ [?, p. 58]. Now, noting that the gcd in (?) is at least 1, we have



E[(r?:)2]>M + 



11 



iV2 



2 + o(l) 



(53) 



so that $\sigma^2 \ge 1 + o(1)$. Therefore, we find $\Pr(\eta_w^x = 0) \le \pi^2/12 + o(1)$. Combining these results, we see that $\Pr(1 \le \eta_w^x \le 4) \ge 1 - 3\pi^2/32 + o(1) > 0.0747 + o(1)$, so that the probability is lower bounded by a constant for sufficiently large $N$. □

While the above bounds apply to arbitrary values of $N$, they are not tight, and better bounds can be obtained using knowledge of the factorization of $N$. For example, if $N$ is prime, $\sigma^2 \approx 1$. For $k = 2$, the above argument is not sufficient except for special values of $N$ (such as $N$ prime); indeed, if $N$ has an unbounded number of distinct prime factors, then it appears that the variance of $\eta_w^x$ might be unbounded. However, for this case, one can simply decrease $M$ and use $k = 3$ copies, as mentioned previously.
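A numerical check of Lemma 4 and of the second-moment computation in the proof of Lemma 2, as an added example (not code from the paper). Applying Lemma 4 to the off-diagonal term of (42) gives $\mathrm{E}_{x,w}[(\eta_w^x)^2] = \mu + N^{-2} \sum_{b \ne c} \gcd(b_1 - c_1, \dots, b_k - c_k, N)$; the code compares this closed form with exhaustive enumeration over all instances $(x, w)$ for small constructed parameters. Function names are illustrative.

```python
from collections import Counter
from fractions import Fraction
from functools import reduce
from itertools import product
from math import gcd


def kernel_size_bruteforce(b, N):
    """Number of x in Z_N^k with b.x = 0 mod N, by exhaustive search."""
    return sum(1 for x in product(range(N), repeat=len(b))
               if sum(bi * xi for bi, xi in zip(b, x)) % N == 0)


def kernel_size_lemma4(b, N):
    """Lemma 4: N^(k-1) * gcd(b_1, ..., b_k, N)."""
    return N ** (len(b) - 1) * reduce(gcd, b, N)


def eta_distribution(N, M, k):
    """Counter: eta -> number of instances (x, w) with exactly eta solutions
    b in {0, ..., M-1}^k of b.x = w mod N (instances with eta = 0 included)."""
    boxes = list(product(range(M), repeat=k))
    dist = Counter()
    for x in product(range(N), repeat=k):
        hits = Counter(sum(bi * xi for bi, xi in zip(b, x)) % N for b in boxes)
        for w in range(N):
            dist[hits[w]] += 1           # a missing key counts as eta = 0
    return dist


def moments_bruteforce(N, M, k):
    """(E[eta], E[eta^2]) over uniformly random x in Z_N^k and w in Z_N."""
    dist = eta_distribution(N, M, k)
    total = N ** (k + 1)
    mean = Fraction(sum(e * c for e, c in dist.items()), total)
    second = Fraction(sum(e * e * c for e, c in dist.items()), total)
    return mean, second


def second_moment_lemma4(N, M, k):
    """mu + N^-2 * sum over b != c of gcd(b_1 - c_1, ..., b_k - c_k, N)."""
    boxes = list(product(range(M), repeat=k))
    off_diag = sum(reduce(gcd, (bi - ci for bi, ci in zip(b, c)), N)
                   for b in boxes for c in boxes if b != c)
    return Fraction(M ** k, N) + Fraction(off_diag, N * N)


def prob_between_1_and_4(N, M, k):
    """Exact Pr(1 <= eta <= 4) for the given small parameters."""
    dist = eta_distribution(N, M, k)
    good = sum(c for e, c in dist.items() if 1 <= e <= 4)
    return Fraction(good, N ** (k + 1))


if __name__ == "__main__":
    # Constructed small parameters with M^k = N, so the mean is exactly 1.
    for N, M, k in [(8, 2, 3), (9, 3, 2), (27, 3, 3)]:
        mean, second = moments_bruteforce(N, M, k)
        print(N, M, k, "mean", mean, "variance", second - mean ** 2,
              "Pr(1<=eta<=4)", float(prob_between_1_and_4(N, M, k)))
```

On these toy sizes the exact probability of having between 1 and 4 solutions is far above the 0.0747 guaranteed by the proof, consistent with the remark that the bounds are not tight.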